Category | Details |
---|---|
Threat Actors | CoughingDown threat group (potential attribution) |
Campaign Overview | Deployment of the EAGERBEE backdoor at ISPs and governmental entities in the Middle East. New service injector and plugins uncovered. |
Target Regions | Middle East |
Methodology | DLL hijacking used to load the backdoor injector (“tsvipsrv.dll”), which in turn loads the payload file (“ntusers0.dat”). File timestamps altered (timestomping) and the hidden and system attributes set on the dropped files. Commands run for lateral movement using stolen credentials. |
Products Targeted | Microsoft Windows environments, including Active Directory Domain Services (AD DS) |
Malware Reference | • EAGERBEE backdoor • Service injector that abuses the Themes service • Plugin Orchestrator and its associated plugins |
Tools Used | • PowerShell • attrib.exe • rar.exe |
Vulnerabilities Exploited | DLL hijacking vulnerability |
TTPs | • Timestamp manipulation of malicious files. • Mutex created on execution. • Collection of system and network details. • Connection to C2 servers through proxies. • Injection of plugins into memory. • Remote shell and persistence techniques. • Reflective DLL injection. |
Attribution | Potential connection to CoughingDown threat group |
Recommendations | • Restrict execution of untrusted DLLs. • Monitor for suspicious process creations and unusual network connections. • Implement robust privilege management. • Apply patches to mitigate DLL hijacking vulnerabilities. • Use endpoint detection and response (EDR) tools to monitor for backdoor activity. • Enforce strict file access and attribute modification policies. |
Source | Securelist by Kaspersky |
Read full article: https://securelist.com/eagerbee-backdoor/115175/
The above summary has been generated by an AI language model
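The hunting script below is an added example written for this summary; it is not code from the Securelist article or from Kaspersky. It checks a Windows host for the artifacts the Methodology, TTPs and Recommendations rows describe: the named injector and payload files, the hidden-plus-system attribute pattern, timestomping (a PE compile-time comparison plus a whole-second heuristic), and which ServiceDll the Themes service actually loads. The file locations (System32 and SysWOW64), the expected stock ServiceDll path (themeservice.dll) and the timestomp heuristics are assumptions, not facts stated on the page. Run it in an elevated session and compare the output against a known-good host.

```powershell
# Added hunting example for the EAGERBEE artifacts in the summary above.
# Not code from the Securelist article. Assumptions (not stated on the page):
#  - the dropped files sit in System32 or SysWOW64;
#  - a stock Themes service loads %SystemRoot%\System32\themeservice.dll;
#  - the timestomp heuristics below are generic, not EAGERBEE-specific.
# Run in an elevated PowerShell session.

$IocFileNames      = @('tsvipsrv.dll', 'ntusers0.dat')   # names from the summary
$SearchRoots       = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
$ExpectedThemesDll = "$env:SystemRoot\System32\themeservice.dll"   # assumption

function Test-HiddenSystem {
    # The summary says both Hidden and System were set on the dropped files.
    param([System.IO.FileInfo]$File)
    $hidden = ($File.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
    $system = ($File.Attributes -band [IO.FileAttributes]::System) -ne 0
    return ($hidden -and $system)
}

function Get-PeTimeDateStamp {
    # Reads the COFF TimeDateStamp (PE signature offset + 8) as a UTC DateTime,
    # or returns $null if the file is not a PE image. Modern Microsoft binaries
    # may carry a reproducible-build hash here, so only trust it for third-party files.
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }   # "MZ"
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    if ($peOff -le 0 -or ($peOff + 12) -gt $b.Length) { return $null }
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { return $null }        # "PE\0\0"
    $stamp = [BitConverter]::ToUInt32($b, $peOff + 8)
    return [DateTimeOffset]::FromUnixTimeSeconds([int64]$stamp).UtcDateTime
}

function Get-TimestompIndicators {
    # Heuristics only; $FILE_NAME timestamps need an MFT parser and are not checked here.
    param([System.IO.FileInfo]$File)
    $reasons = @()
    $compiled = Get-PeTimeDateStamp -Path $File.FullName
    if ($compiled -and $File.LastWriteTimeUtc -lt $compiled) {
        # A file cannot legitimately be modified before it was compiled.
        $reasons += "LastWriteTime $($File.LastWriteTimeUtc.ToString('u')) precedes PE compile time $($compiled.ToString('u'))"
    }
    foreach ($t in @($File.CreationTime, $File.LastWriteTime)) {
        # SetFileTime-style stomping often writes whole seconds (no 100-ns remainder).
        # Files extracted from ZIP archives look the same, so treat this as weak evidence.
        if (($t.Ticks % [TimeSpan]::TicksPerSecond) -eq 0) { $reasons += 'whole-second timestamp'; break }
    }
    return $reasons
}

# 1. Named artifacts, and how they are hidden.
foreach ($root in $SearchRoots) {
    foreach ($name in $IocFileNames) {
        $path = Join-Path $root $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $f = Get-Item -LiteralPath $path -Force     # -Force is needed to see hidden/system files
        [PSCustomObject]@{
            Check        = 'IOC file present'
            Path         = $f.FullName
            HiddenSystem = Test-HiddenSystem -File $f
            Created      = $f.CreationTimeUtc
            Modified     = $f.LastWriteTimeUtc
            Timestomp    = (Get-TimestompIndicators -File $f) -join '; '
        }
    }
}

# 2. Which DLL does the Themes service actually load?
$themesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Themes\Parameters'
$themesDll = (Get-ItemProperty -Path $themesKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($themesDll) {
    $expanded = [Environment]::ExpandEnvironmentVariables($themesDll)
    $status = if ($expanded -ieq $ExpectedThemesDll) { 'matches expected path' } else { 'UNEXPECTED - investigate' }
    [PSCustomObject]@{ Check = 'Themes ServiceDll'; Path = $expanded; Status = $status }
}

# 3. Generalisation: any svchost-hosted service whose ServiceDll is an IOC name
#    or lives outside the system directories (a hijacked or swapped service DLL).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $params = Join-Path $_.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }
    $dll  = [Environment]::ExpandEnvironmentVariables($dll)
    $leaf = Split-Path -Path $dll -Leaf
    $inSystemDir = [bool]($SearchRoots | Where-Object { $dll -like "$_\*" })
    if (($IocFileNames -contains $leaf) -or -not $inSystemDir) {
        [PSCustomObject]@{ Check = 'Suspicious ServiceDll'; Service = $_.PSChildName; Path = $dll }
    }
}
```

Step 3 will also list legitimate third-party services whose ServiceDll lives under Program Files; that is expected noise, and the value of the check is in diffing its output against a baseline host. The PE compile-time comparison only fires when a file's modification time predates its own build, which is the one timestomp indicator that does not depend on knowing the original timestamps; everything else here is weak evidence that should be confirmed with an MFT-level comparison of $STANDARD_INFORMATION against $FILE_NAME.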